---
title: How to manage Access Control Lists (ACLs)
sidebarTitle: Access Control Lists (ACLs)
description: Restrict block and deployment access to individual actors within a workspace. 
---

Prefect Cloud's [Enterprise plan](https://www.prefect.io/pricing) offers object-level access control lists (ACLs) to restrict access to 
specific users and service accounts within a workspace. ACLs are supported for blocks, deployments, and work pools.

Organization Admins and Workspace Owners can configure access control lists by navigating to an object and clicking **manage access**.
When an ACL is added, all users and service accounts with access to an object through their workspace role will lose access if not 
explicitly added to the ACL.

<Note>
**ACLs and visibility**

Objects not governed by access control lists such as flow runs, flows, and artifacts are visible to a user within a 
workspace even if an associated block or deployment has been restricted for that user.
</Note>

See the [Prefect Cloud plans](https://www.prefect.io/pricing) to learn more about options for supporting object-level access control.

## ACL delegation for work pools and deployments

Deployments can delegate their permission checks to work pools. This delegation works as follows:

1. If a work pool has ACLs configured, those ACLs apply to all deployments that use the work pool.
2. If a work pool does not have ACLs, the ACLs of the individual deployments apply instead.

This delegation system allows for more efficient management of permissions, especially when multiple deployments use the same work pool.
